How many viruses are made by anti-virus companies?

Discussion in 'other anti-virus software' started by sg09, May 26, 2011.

Thread Status:
Not open for further replies.
  1. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    There is no single technology that offers absolute and perfect malware prevention. Every technology has advantages and disadvantages. You can prevent malware with every security technology, but none offers 100% protection. Every protection technology can and eventually will be attacked and bypassed by malware.

    All serious AV products these days combine as many of the available protection technolgies in one way or another, trying to achieve the highest possible layered protection with the least amount of performance impact.

    If you abstract the data, every protection technology is in the end either blacklisting or whitelisting data.
     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I don't think virtualization, backups, and updates fit in either category.
     
  3. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    Virtualization does categorize application behaviour, code and resource access. Potential "dangerous" (modifiying) or critical instructions are virtualized. So they are "blacklisted", but not blocked but get a special treatment instead.
    Virtualization can be attacked by malware as other protection technology. Just find a way to break out of the virtualization.

    Backups are no prevention or direct protection technology, they are a convience after a data disaster has struck.

    Updates improve your overall system robustness but you can see them as "blacklisting" (eliminating) exploits.

    BTW, all three methods do not protect you from data theft.
     
  4. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Virtualization can be whitelist as well, when your entire system is sandboxed except for a select few objects.

    Data theft would be handled by encryption, web filter, firewall, application control, and resource access restriction. I believe the first would be blacklist and the last four either.
     
  5. marcuskng

    marcuskng AV Expert

    Joined:
    Feb 19, 2010
    Posts:
    74
    This thread feels so 2003 :)

    /me pops in some "Propellerheads - History Repeating (ft. Shirley Bassey)"

    Bottom line:
    Protection/Prevention is: whatever works, even if only to a certain extent, while keeping the system usable for the vast majority of users.

    As Kurt and Stefan said, there is no perfect solution, only partial solutions to certain aspects of problems that evolve over time. Layering each of these solutions for different aspects gets you closer to the goal of perfection, but the evolutionary aspect will always keep security people on their toes.

    As to AV companies writing malware, I'm sure there's the occasional black sheep among employees out there, just like there's the occasional fireman setting fires, or the police officer that accepts bribes. Human nature i suppose. I can guarantee you though, that for reputable companies there'd be blowtorches and pincers involved (figuratively speaking, we're probably going to be slightly more civilized) should we ever find someone like that amidst our own.
     
    Last edited: Jun 1, 2011
  6. FlimFlam

    FlimFlam Registered Member

    Joined:
    May 23, 2011
    Posts:
    42
    "Hello, is this the IT department?" "Yes, I just got a fake antivirus popup!" "How did that happen?" "I have all the latest updated corporate antivirus available protection technologies in place." "Did I do something wrong?" "Why did I get this?" "The av corporations marketing promised me that I would be completely protected from these infections." "I just spent a lot of money on this av security software when it doesn't really protect me!" "Please help me, IT department!"
     
  7. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    No security solution detects all malware! Your just sounding like a Troll since you only have been here for less than 2 weeks! :rolleyes:

    TH
     
    Last edited: Jun 1, 2011
  8. Matthijs5nl

    Matthijs5nl Guest

    I agree with a lot of observations I have read.

    Everyone can decide what kind of security strategy he or she uses, and in the end no possible security strategy can protect you against all threats.
    I don't feel like the antivirus software industry is standing still, what some forum users try to argue. In fact, I think that lots of people are still perfectly well protected by antivirus software. I have always been using antivirus security products and I still like them.
    Also if you look at what kind of technologies antivirus software nowadays contain, you are already having a so-much acclaimed layered setup. Just take a look at free products like Panda, avast! and AVG. They include so many different technologies that the claim that the antivirus software still only rely on signatures is just wrong. Combine that with the good Windows Firewall, an up-to-date system and some common sense.

    Also I do agree that on-access detection (before a threat is able to perform a malicious action), protection and prevention are in fact all the same. Making a distinction between those three constructs is impossible.

    Next to that there are lots of names for lots of type of security products/techologies. In my eyes just having a technology doesn't say anything about protection, it all depends on how the technology will exactly work in the real world. Therefore I hate the latest development that all security products what to show the meaningless word "cloud" somewhere in the GUI. It is not that having a more cloud computing necessarily implies better protection.
    Other buzzwords: virtualization and sandboxing, and: behavior blocking and HIPS. Really depends on the exact implementation.
     
  9. FlimFlam

    FlimFlam Registered Member

    Joined:
    May 23, 2011
    Posts:
    42
    Hello TH!

    Thank you for your kind words. "No security solution detects all malware!" I couldn't have said it better myself. :)
    Prevention beats Detection every time!
     
    Last edited: Jun 1, 2011
  10. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    With respect "just finding a way to break out of virtualization" is not such a trivial feat,especially if it's locked in with a modern CPU.

    Of course nothing is impossible when it comes to circumventing protections,but there's a very good reason for the explosion of social engineering malware,go for the easiest option with the best returns.Even if they exist,the chances of an ordinary user encountering a "VM buster" are infinitessimal.
     
  11. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    The biggest problem when it comes to security is that the best of the best is only used by those who need it the least.

    The average user wants to click next until the AV installer goes away and then at most see a message from time to time about what was blocked.

    I cant post the full virustotal log (per forum runes) but to answer your question this is the first and last scanned time for a VERY common fakealert infection:

    First seen: 2011-06-01 18:45:56
    Last seen : 2011-06-01 18:45:56

    This is becoming a common occurrence and is the marker of a per download polymorphic infection. If you were to add up every possible morph for every single polymorphic infection every day I a sure the number would be so large as to be completely meaningless.
     
  12. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    I remember one of the latest AV comparatives showing real time protection of several AV's (Norton, Panda, Esset, MSE, Avast, etc) and Panda came in first by blocking 63% of malware real time. I understand nothing is 100% but 50-60% is so low I'm more confident in using other methods for pure prevention purposes like HIPS or virtualization or LUA/SRP and system hardening. I personally haven't been able to bypass Online Armor, or a LUA/SRP system before, I'm sure it can be done but its waaaaay more effective than 63%.
     
  13. Matthijs5nl

    Matthijs5nl Guest

    You are probably refering to the retrospective test? That test is irrelevant, therefore many vendors didn't participate in the very latest test. It does only test offline generic/heuristic detections. Which means that the following technologies are not reflected in the results: malware signatures, reputation-based detection, behavior-based detection, URL filtering, online (cloud) detection and protection through behavior blocking/intrusion prevention.
     
    Last edited by a moderator: Jun 1, 2011
  14. FlimFlam

    FlimFlam Registered Member

    Joined:
    May 23, 2011
    Posts:
    42
    Well, maybe the "best of the best" as you say can be used by the "average" users through proper education.
    And to think that this statement comes from a major brand-name av software representative. Can you imagine if that (true) statement was seen on their product website?
     
    Last edited: Jun 1, 2011
  15. Stefan Kurtzhals

    Stefan Kurtzhals AV Expert

    Joined:
    Sep 30, 2003
    Posts:
    702
    FlimFlam, you still haven't answered what malware prevention is according to your point of view. One could really get the impression that all you want to do is trolling around.

    Where is the surprise, there is no 100% protection. Nobody is claiming that, or can you provide anything for this claim? Did you ever read the AV EULAs? I guess not.

    I think the last one claiming that there is 100% protection was Zvi Netiv. :D
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    Blast from the past! :D
     
  17. adrenaline7

    adrenaline7 Registered Member

    Joined:
    Apr 27, 2011
    Posts:
    128
    point is, its less effective then HIPS or sandboxing or LUA/SRP despite those technologies.
     
  18. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,102
    Location:
    North Carolina USA
    Having read this thread I only smile at what has been said. In the end what one product do most folks rely on and stay safe with. Yep, a good Antivirus product..

    Why? Because they still work. The one thing you are missing Hungryman is, no product can protect you against poor surfing habits. And that is the truth.

    Your first line of protection starts with 70 percent water. That would be you HungryMan.;)
     
  19. FlimFlam

    FlimFlam Registered Member

    Joined:
    May 23, 2011
    Posts:
    42
    You never asked me, you asked someone else and they never responded. But since you've finally asked me personally, I'd be most happy to.

    "what malware prevention is according to your point of view."

    Let's see, prevention. Hmmm....The ISPs? Interpol? Cooperation from Government(s)? New International laws? Enforcing the laws we've already got? Instead of globally, I'll start locally on the user's machine. First, The educated Internet user is the greatest antivirus in the world. Second, a good router and utilizing proper security configuration(s) in the browser and in the Windows O/S. Third, a properly configured, world-renowned, name-brand, security product (like yours ;)). As of late though, antivirus software alone is like white-wall tires on a car, it looks good, but it doesn’t make the car any safer or go faster. :D

    "One could really get the impression that all you want to do is trolling around."

    Or instead, is it when someone challenges you, they’re a troll. This thread started with a question as to whether or not antivirus companies secretly create malware and release it into the wild, while I don’t think that’s necessarily true, your company needs malware to survive. There are two sides spinning the big malware wheel in the world, you (av software companies) and them (malware coders). It’s kind of fun to sit on the sidelines with a clean computer watching that big wheel keep on turning. But then again, it’s really a bit pathetic.
     
  20. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Before malwarebytes I did home user IT for a long long time. The average user is not interested in anything other than turning on their computer and using it. Sure there were a few that were information sponges and did not even mind paying me to explain at great length how it all works but that was not common. Hell most users fully believe that malware is nothing more than graffiti and the notion that AV companies are involved in some sort of scan is actually kind of common. Ninja level security is just like real world martial arts. The more you learn the less likely it is that you will ever need to use it.
     
  21. Triple Helix

    Triple Helix Specialist

    Joined:
    Nov 20, 2004
    Posts:
    13,269
    Location:
    Ontario, Canada
    I like that Bruce Thanks for the chuckle! :cool:

    TH
     
  22. FlimFlam

    FlimFlam Registered Member

    Joined:
    May 23, 2011
    Posts:
    42
    Thank you Bruce. Yes, unfortunately, that has been my experience as an IT Tech as well.

    From your perspective as a software professional, what is the "best of the best" and "Ninja level security"?
     
  23. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    it means there are no solutions. the malware problem cannot be solved anymore than crime, world hunger, poverty, etc. a solution to the malware problem (or likely any other security problem) is impossible and yet somehow our language and word choices suggest the exact opposite and breed complacency and unachievable expectations.

    in short, the epidemic use of the word "solution" in the security field creates a false sense of security - so i classify it as snake oil.

    thank you. i think i could have done better, but it was my first time doing anything like that.
     
  24. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    in normal anti-malware parlance, prevention and detection are 2 parts of the PDR triad (prevent, detect, recover). prevention happens before. detection happens after, when prevention fails. recovery, of course, happens after you've detected something has happened that needs to be recovered from.

    unfortunately, prevention is often used without any indication of what is being prevented, and that tends to confuse people. you can prevent:
    1. exposure to malware (you never come across it)
    2. transfer of malware (you're blocked from downloading it)
    3. access to malware (you can't click on it)
    4. execution of malware (you can't run it)
    5. behaviour of the malware (it can't do what it was designed to do)
    6. consequences of the malware behaviour (it does it's thing but is only given access to expendable resources and/or in an expendable environment)

    after that last point you're no longer in the realm of prevention, but rather detection and recovery.
     
  25. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    nobody reads the EULAs but lots of people read the marketing and the marketing implies 100% protection more often than not. sometimes it's even in the product name itself (mcafee total protection). i gather it's even going to make it into a company name pretty soon.

    so zvi isn't really the last one to claim it. actually, he's not even the last one to have used those exact words.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.